Changing behavior of new fullchain argument.

This commit is contained in:
Felix Fontein 2018-01-16 07:40:51 +01:00
parent f49a782099
commit 25b1db54cc

View file

@ -37,6 +37,7 @@ description:
- "Although the defaults are chosen so that the module can be used with - "Although the defaults are chosen so that the module can be used with
the Let's Encrypt CA, the module can be used with any service using the ACME the Let's Encrypt CA, the module can be used with any service using the ACME
v1 or v2 protocol." v1 or v2 protocol."
- "At least one of C(dest) and C(fullchain_dest) must be specified."
requirements: requirements:
- "python >= 2.6" - "python >= 2.6"
- openssl - openssl
@ -119,13 +120,17 @@ options:
- "The value that must be used here will be provided by a previous use - "The value that must be used here will be provided by a previous use
of this module." of this module."
dest: dest:
description: The destination file for the certificate. description:
required: true - "The destination file for the certificate."
- "Required if C(fullchain_dest) is not specified."
aliases: ['cert'] aliases: ['cert']
fullchain: fullchain_dest:
description: Include the full certificate chain in the destination file. description:
default: false - "The destination file for the full chain (i.e. certificate followed
by chain of intermediate certificates)."
- "Required if C(dest) is not specified."
version_added: 2.5 version_added: 2.5
aliases: ['fullchain']
remaining_days: remaining_days:
description: description:
- "The number of days the certificate must have left being valid. - "The number of days the certificate must have left being valid.
@ -150,7 +155,7 @@ EXAMPLES = '''
letsencrypt: letsencrypt:
account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}" account_key_content: "{{ lookup('hashi_vault', 'secret=secret/account_private_key:value') }}"
csr: /etc/pki/cert/csr/sample.com.csr csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
register: sample_com_challenge register: sample_com_challenge
# Alternative first step: # Alternative first step:
@ -159,6 +164,7 @@ EXAMPLES = '''
account_key_src: /etc/pki/cert/private/account.key account_key_src: /etc/pki/cert/private/account.key
csr: /etc/pki/cert/csr/sample.com.csr csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt dest: /etc/httpd/ssl/sample.com.crt
fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
register: sample_com_challenge register: sample_com_challenge
# perform the necessary steps to fulfill the challenge # perform the necessary steps to fulfill the challenge
@ -174,6 +180,7 @@ EXAMPLES = '''
account_key_src: /etc/pki/cert/private/account.key account_key_src: /etc/pki/cert/private/account.key
csr: /etc/pki/cert/csr/sample.com.csr csr: /etc/pki/cert/csr/sample.com.csr
dest: /etc/httpd/ssl/sample.com.crt dest: /etc/httpd/ssl/sample.com.crt
fullchain_dest: /etc/httpd/ssl/sample.com-fullchain.crt
data: "{{ sample_com_challenge }}" data: "{{ sample_com_challenge }}"
### Example with DNS challenge against production ACME server ### ### Example with DNS challenge against production ACME server ###
@ -311,7 +318,8 @@ def simple_get(module, url):
def get_cert_days(module, cert_file): def get_cert_days(module, cert_file):
''' '''
Return the days the certificate in cert_file remains valid and -1 Return the days the certificate in cert_file remains valid and -1
if the file was not found. if the file was not found. If cert_file contains more than one
certificate, only the first one will be considered.
''' '''
if not os.path.exists(cert_file): if not os.path.exists(cert_file):
return -1 return -1
@ -725,7 +733,8 @@ class ACMEClient(object):
self.version = module.params['acme_version'] self.version = module.params['acme_version']
self.challenge = module.params['challenge'] self.challenge = module.params['challenge']
self.csr = module.params['csr'] self.csr = module.params['csr']
self.dest = module.params['dest'] self.dest = module.get('dest')
self.fullchain_dest = module.get('fullchain_dest')
self.account = ACMEAccount(module) self.account = ACMEAccount(module)
self.directory = self.account.directory self.directory = self.account.directory
self.data = module.params['data'] self.data = module.params['data']
@ -1060,7 +1069,7 @@ class ACMEClient(object):
Only do this if a destination file was provided and if all authorizations Only do this if a destination file was provided and if all authorizations
for the domains of the csr are valid. No Return value. for the domains of the csr are valid. No Return value.
''' '''
if self.dest is None: if self.dest is None and self.fullchain_dest is None:
return return
if self.finalize_uri is None and self.version != 1: if self.finalize_uri is None and self.version != 1:
return return
@ -1079,14 +1088,15 @@ class ACMEClient(object):
pem_cert = cert['cert'] pem_cert = cert['cert']
chain = [link for link in cert.get('chain', [])] chain = [link for link in cert.get('chain', [])]
if chain:
if self.module.params['fullchain']:
pem_cert += "\n".join(chain)
if write_file(self.module, self.dest, pem_cert.encode('utf8')): if self.dest and write_file(self.module, self.dest, pem_cert.encode('utf8')):
self.cert_days = get_cert_days(self.module, self.dest) self.cert_days = get_cert_days(self.module, self.dest)
self.changed = True self.changed = True
if self.fullchain_dest and write_file(self.module, self.fullchain_dest, (pem_cert + "\n".join(chain)).encode('utf8')):
self.cert_days = get_cert_days(self.module, self.fullchain_dest)
self.changed = True
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
@ -1101,12 +1111,13 @@ def main():
challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-sni-02'], type='str'), challenge=dict(required=False, default='http-01', choices=['http-01', 'dns-01', 'tls-sni-02'], type='str'),
csr=dict(required=True, aliases=['src'], type='path'), csr=dict(required=True, aliases=['src'], type='path'),
data=dict(required=False, no_log=True, default=None, type='dict'), data=dict(required=False, no_log=True, default=None, type='dict'),
fullchain=dict(required=False, default=False, type='bool'), dest=dict(aliases=['cert'], type='path'),
dest=dict(required=True, aliases=['cert'], type='path'), fullchain_dest=dict(aliases=['fullchain'], type='path'),
remaining_days=dict(required=False, default=10, type='int'), remaining_days=dict(required=False, default=10, type='int'),
), ),
required_one_of=( required_one_of=(
['account_key_src', 'account_key_content'], ['account_key_src', 'account_key_content'],
['dest', 'fullchain_dest'],
), ),
mutually_exclusive=( mutually_exclusive=(
['account_key_src', 'account_key_content'], ['account_key_src', 'account_key_content'],
@ -1118,7 +1129,10 @@ def main():
module.run_command_environ_update = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTYPE='C') module.run_command_environ_update = dict(LANG='C', LC_ALL='C', LC_MESSAGES='C', LC_CTYPE='C')
locale.setlocale(locale.LC_ALL, 'C') locale.setlocale(locale.LC_ALL, 'C')
cert_days = get_cert_days(module, module.params['dest']) if module.params.get('dest'):
cert_days = get_cert_days(module, module.params['dest'])
else:
cert_days = get_cert_days(module, module.params['fullchain_dest'])
if cert_days < module.params['remaining_days']: if cert_days < module.params['remaining_days']:
# If checkmode is active, base the changed state solely on the status # If checkmode is active, base the changed state solely on the status
# of the certificate file as all other actions (accessing an account, checking # of the certificate file as all other actions (accessing an account, checking